Description
The Timetics WordPress plugin before 1.0.52 does not have authorization in a REST endpoint, allowing unauthenticated users to arbitrarily change a booking's payment status and post status for the "timetics-booking" custom post type.
Published: 2026-03-12
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized booking status modification
Action: Patch ASAP
AI Analysis

Impact

The Timetics WordPress plugin prior to version 1.0.52 lacks authorization checks on a REST endpoint, allowing any user, including unauthenticated visitors, to arbitrarily change the payment status and post status of "timetics-booking" custom posts. This results in the unauthorized alteration of booking records, potentially marking unpaid reservations as paid, enabling fraudulent claims, or disrupting inventory and financial reporting. The weakness is categorized as CWE-862, reflecting an improper authorization flaw.
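
The missing-authorization pattern behind CWE-862 in a WordPress REST route, shown as an added illustration that is not code from the Timetics plugin: the route namespace, meta key, status values and callback names are assumptions; the only page-specific value is the "timetics-booking" post type.

```php
<?php
// Added example (not Timetics code). Namespace, route, meta key and the
// allowed status values are assumptions chosen for illustration.

function example_update_booking_status( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];
    $status  = sanitize_key( $request['payment_status'] );
    update_post_meta( $post_id, '_example_payment_status', $status );
    return rest_ensure_response( array( 'id' => $post_id, 'payment_status' => $status ) );
}

add_action( 'rest_api_init', function () {
    // Vulnerable shape: '__return_true' (or no permission_callback at all) makes
    // the route callable by any visitor, so anyone can flip a booking's status.
    register_rest_route( 'example-booking/v1', '/booking-unchecked/(?P<id>\d+)/status', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_booking_status',
        'permission_callback' => '__return_true',
    ) );

    // Hardened shape: authorization is tied to the specific booking object,
    // the post type is verified, and input is validated before the callback runs.
    register_rest_route( 'example-booking/v1', '/booking/(?P<id>\d+)/status', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_booking_status',
        'permission_callback' => function ( WP_REST_Request $request ) {
            $post = get_post( (int) $request['id'] );
            if ( ! $post || 'timetics-booking' !== $post->post_type ) {
                return new WP_Error( 'rest_not_found', 'Booking not found.', array( 'status' => 404 ) );
            }
            // Object-level capability check: being logged in is not enough.
            return current_user_can( 'edit_post', $post->ID );
        },
        'args' => array(
            'payment_status' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    // Allowlist of statuses this example accepts (assumed values).
                    return in_array( $value, array( 'pending', 'paid', 'refunded' ), true );
                },
            ),
        ),
    ) );
} );
```

Since WordPress 5.5 a route registered without any permission_callback triggers a _doing_it_wrong notice, but '__return_true' silences that notice while leaving the route just as open, so reviews should grep for both forms.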

Affected Systems

Vulnerable systems include any WordPress site running the Timetics plugin at a version older than 1.0.52. The affected version information is explicitly cited: "before 1.0.52". Sites using newer releases are not impacted.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, with an EPSS score of less than 1% suggesting a low likelihood of exploit. It is not listed in the CISA KEV catalog. The likely attack vector inferred from the description is a remote unauthenticated request to the plugin’s REST endpoint.

Generated by OpenCVE AI on March 18, 2026 at 14:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Timetics plugin to version 1.0.52 or newer.

Generated by OpenCVE AI on March 18, 2026 at 14:45 UTC.


Advisories

No advisories yet.

History

Fri, 13 Mar 2026 10:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Timetics; Timetics timetics; Wordpress; Wordpress wordpress
Vendors & Products                    Timetics; Timetics timetics; Wordpress; Wordpress wordpress

Thu, 12 Mar 2026 14:15:00 +0000

Type        Values Removed   Values Added
Weaknesses                   CWE-862
Metrics                      cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}
                             ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 06:15:00 +0000

Type         Values Removed   Values Added
Description                   The Timetics WordPress plugin before 1.0.52 does not have authorization in a REST endpoint, allowing unauthenticated users to arbitrarily change a booking's payment status and post status for the "timetics-booking" custom post type.
Title                         Timetics < 1.0.52 - Unauthenticated Payment/Booking Status Update
References

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-03-12T13:40:38.873Z

Reserved: 2026-01-06T21:31:10.819Z

Link: CVE-2025-15473

Vulnrichment

Updated: 2026-03-12T13:40:24.930Z

NVD

Status: Awaiting Analysis

Published: 2026-03-12T06:16:30.417

Modified: 2026-03-12T21:07:53.427

Link: CVE-2025-15473

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:36:00Z

Weaknesses